IPA DNS configuration using Response Policy Zone (RPZ).

IPA utilizes DNS extensively to locate the service records (SRV) and text
records (TXT) associated with the Kerberos realm.
IPA also heavily requires DNS A records and PTR records to function
correctly.
Normally all A, SRV, TXT and PTR records are part of the same DNS domain zone.

The following shows how to decouple only the IPA TXT and SRV records and
pass (forward) all other records to another internal DNS server, for
environments that require every record except SRV and TXT to live in that
other DNS system.

Note: what follows is heavily customized for one specific environment; your
environment may be different. Just wanted to pass on this DNS trick.
The methodology was to run a BIND instance on at least two servers and
configure a Response Policy Zone (RPZ) on each.
The RPZ answers the specific DNS records it carries and forwards all other
DNS queries onward to the next-hop DNS.

All A and PTR records should exist in the next hop DNS authoritative server.
As mentioned, the following solution is very specific to a unique
environment.

IPA members and client servers must have their primary/secondary DNS
resolvers set to the DNS RPZ BIND servers.


Steps
 Create your master and slave BIND DNS servers where the RPZ will be used
(this can be your IPA server or any other server with BIND DNS installed).
 Create the Response Policy Zone (RPZ) files.
 Test the configuration.

Search below for "<your " to find every value that must be changed for your
configuration. The nslookup queries that follow test the configuration from
a client: first against the RPZ2 server, then against RPZ1. The TXT and SRV
answers must come from the RPZ; the host A lookups, the google.com lookups
and the PTR lookups must still succeed, which shows that everything else is
forwarded to the next-hop DNS.

nslookup <your Bind-DNS-RPZ1-Host-FQDN> <your Bind-DNS-RPZ2-IP-address>
nslookup <your Bind-DNS-RPZ1-Host-FQDN> <your Bind-DNS-RPZ1-IP-address>

nslookup <your Bind-DNS-RPZ2-Host-FQDN>. <your Bind-DNS-RPZ2-IP-address>
nslookup <your Bind-DNS-RPZ2-Host-FQDN>. <your Bind-DNS-RPZ1-IP-address>

nslookup <your Bind-DNS-RPZ1-Host-FQDN> <your Bind-DNS-RPZ2-IP-address>
nslookup <your Bind-DNS-RPZ2-Host-FQDN>. <your Bind-DNS-RPZ2-IP-address>
nslookup -type=TXT _kerberos.<your FQDN>              <your Bind-DNS-RPZ2-IP-address>
nslookup -type=SRV _kerberos-master._tcp.<your FQDN>  <your Bind-DNS-RPZ2-IP-address>
nslookup -type=SRV _kerberos-master._udp.<your FQDN>  <your Bind-DNS-RPZ2-IP-address>
nslookup -type=SRV _kerberos._tcp.<your FQDN>         <your Bind-DNS-RPZ2-IP-address>
nslookup -type=SRV _kerberos._udp.<your FQDN>         <your Bind-DNS-RPZ2-IP-address>
nslookup -type=SRV _kpasswd._tcp.<your FQDN>          <your Bind-DNS-RPZ2-IP-address>
nslookup -type=SRV _kpasswd._udp.<your FQDN>          <your Bind-DNS-RPZ2-IP-address>
nslookup -type=SRV _ldap._tcp.<your FQDN>             <your Bind-DNS-RPZ2-IP-address>

nslookup <your Bind-DNS-RPZ1-Host-FQDN> <your Bind-DNS-RPZ1-IP-address>
nslookup <your Bind-DNS-RPZ2-Host-FQDN>. <your Bind-DNS-RPZ1-IP-address>
nslookup -type=TXT _kerberos.<your FQDN>              <your Bind-DNS-RPZ1-IP-address>
nslookup -type=SRV _kerberos-master._tcp.<your FQDN>  <your Bind-DNS-RPZ1-IP-address>
nslookup -type=SRV _kerberos-master._udp.<your FQDN>  <your Bind-DNS-RPZ1-IP-address>
nslookup -type=SRV _kerberos._tcp.<your FQDN>         <your Bind-DNS-RPZ1-IP-address>
nslookup -type=SRV _kerberos._udp.<your FQDN>         <your Bind-DNS-RPZ1-IP-address>
nslookup -type=SRV _kpasswd._tcp.<your FQDN>          <your Bind-DNS-RPZ1-IP-address>
nslookup -type=SRV _kpasswd._udp.<your FQDN>          <your Bind-DNS-RPZ1-IP-address>
nslookup -type=SRV _ldap._tcp.<your FQDN>             <your Bind-DNS-RPZ1-IP-address>

nslookup google.com <your Bind-DNS-RPZ2-IP-address>
nslookup google.com <your Bind-DNS-RPZ1-IP-address>

nslookup -type=ptr <your Bind-DNS-RPZ2-IP-address> <your Bind-DNS-RPZ2-IP-address>
nslookup -type=ptr <your Bind-DNS-RPZ2-IP-address> <your Bind-DNS-RPZ1-IP-address>
nslookup -type=ptr <your Bind-DNS-RPZ1-IP-address> <your Bind-DNS-RPZ2-IP-address>
nslookup -type=ptr <your Bind-DNS-RPZ1-IP-address> <your Bind-DNS-RPZ1-IP-address>
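The same test matrix, scripted so that both RPZ servers are exercised in one run and every answer is graded from dig's response header. This is an added example, not code from the original post or from FreeIPA; the 192.0.2.x addresses, the example.test domain and the ipa1/ipa2 host names in main() are constructed placeholders to be replaced with your own values. A name the RPZ serves must come back NOERROR with one SRV per RPZ host; the A, google.com and PTR lookups must also come back NOERROR, which proves the query passed through the RPZ to the forwarders.

```python
"""Run the nslookup test matrix above against both RPZ servers with dig and
grade each answer (added example, not from the original post; the addresses
and names in main() are constructed placeholders)."""
import re
import shutil
import subprocess

# SRV records IPA clients look up, as listed in the test matrix above.
SRV_NAMES = ["_kerberos-master._tcp", "_kerberos-master._udp", "_kerberos._tcp",
             "_kerberos._udp", "_kpasswd._tcp", "_kpasswd._udp", "_ldap._tcp"]
STATUS_RE = re.compile(r"status: ([A-Z]+)")
ANSWER_RE = re.compile(r"ANSWER: (\d+)")


def query_plan(rpz_servers, ipa_domain, rpz_hosts, external_name="google.com"):
    """Build (server, qname, qtype, min_answers) for every check in the matrix."""
    plan = []
    for server in rpz_servers:
        # answered by the RPZ itself: realm TXT, then each SRV with both hosts as targets
        plan.append((server, f"_kerberos.{ipa_domain}", "TXT", 1))
        for name in SRV_NAMES:
            plan.append((server, f"{name}.{ipa_domain}", "SRV", len(rpz_hosts)))
        # must pass through the RPZ to the forwarders: host A, an external name, PTR
        for host in rpz_hosts:
            plan.append((server, host, "A", 1))
        plan.append((server, external_name, "A", 1))
        for ip in rpz_servers:
            plan.append((server, ip, "PTR", 1))
    return plan


def grade(dig_output, min_answers):
    """Judge one dig response from its header lines: returns (ok, reason)."""
    status, answers = STATUS_RE.search(dig_output), ANSWER_RE.search(dig_output)
    if not status or not answers:
        return False, "no response header (timeout or server unreachable)"
    if status.group(1) != "NOERROR":
        return False, f"status {status.group(1)}"
    n = int(answers.group(1))
    if n < min_answers:
        return False, f"{n} answer(s), expected at least {min_answers}"
    return True, f"NOERROR, {n} answer(s)"


def dig_args(server, qname, qtype):
    """dig command line for one check; PTR uses -x so dig builds the in-addr.arpa name."""
    target = ["-x", qname] if qtype == "PTR" else [qname, qtype]
    return ["dig", f"@{server}", "+time=2", "+tries=1"] + target


def run_plan(plan):
    """Execute the plan; return the failed checks as (server, qname, qtype, reason)."""
    failures = []
    for server, qname, qtype, min_answers in plan:
        out = subprocess.run(dig_args(server, qname, qtype),
                             capture_output=True, text=True).stdout
        ok, reason = grade(out, min_answers)
        print("PASS" if ok else "FAIL", server, qtype, qname, "-", reason)
        if not ok:
            failures.append((server, qname, qtype, reason))
    return failures


# Constructed dig header lines (the part grade() reads): a healthy two-target
# SRV answer and an NXDOMAIN answer.
SAMPLE_DIG_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
SAMPLE_DIG_NX = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
"""

if __name__ == "__main__":
    if not shutil.which("dig"):
        raise SystemExit("dig not found; install bind-utils")
    # placeholders: replace with your RPZ server addresses, IPA domain and RPZ host names
    plan = query_plan(["192.0.2.11", "192.0.2.12"], "example.test",
                      ["ipa1.example.test", "ipa2.example.test"])
    raise SystemExit(1 if run_plan(plan) else 0)
```

Run it from a client whose resolvers point at the RPZ servers; a non-zero exit means at least one check failed, and the FAIL lines name the server and record so a missing SRV target or a forwarder that does not answer is spotted before IPA clients notice.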


The configuration below references the reverse (in-addr.arpa) zone for a
10.x.x.x internal network. Adjust as necessary for your environment.

Appendix A: Primary IPA DNS /etc/named.conf file
# cat named.conf
options {
        // Put files that named is allowed to write in the data/ directory:
        directory "/var/named"; // the default
        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";
        #forward first;
        forwarders {
                <your Forwarder1>;
                <your Forwarder2>;
        };
        response-policy {zone "<your RPZ-Zone-File-Name>"; };

        // Any host is permitted to issue recursive queries
        allow-recursion { any; };

        tkey-gssapi-credential "DNS/<your Bind-DNS-RPZ1-Host-FQDN>";
        tkey-domain "<your Realm-FQDN>";
};

/* If you want to enable debugging, eg. using the 'rndc trace' command,
 * By default, SELinux policy does not allow named to modify the /var/named directory,
 * so put the default debug log file in data/ :
 */
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "<your RPZ-Zone-File-Name>" IN {
        type master;
        file "<your RPZ-Zone-File-Name>";
        also-notify {<your Slave-DNS-RPZ-IP>;};
};

zone "10.in-addr.arpa" IN {
        type forward;
        forwarders {
                <your Forwarder1>;
                <your Forwarder2>;
        };
};

include "/etc/named.rfc1912.zones";

# dynamic not used, remark out.
#dynamic-db "ipa" {
#        library "ldap.so";
#};

Appendix B: Primary IPA DNS /var/named/<your RPZ-Zone-File-Name> file
$ORIGIN .
$TTL 86400      ; 1 day
<your Domain>.rpz             IN SOA  localhost. root.localhost. (
                                201505162150 ; serial
                                3600       ; refresh (1 hour)
                                1800       ; retry (30 minutes)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                        NS      localhost.
$ORIGIN <your FQDN>.rpz.
_kerberos               TXT     "<your Realm-FQDN>"
_ntp_udp                SRV     0 100 123 <your Bind-DNS-RPZ1-Host-FQDN>.
$ORIGIN _tcp.<your FQDN>.rpz.
_kerberos               SRV     0 100 88 <your Bind-DNS-RPZ1-Host-FQDN>.
                        SRV     0 100 88 <your Bind-DNS-RPZ2-Host-FQDN>.
_kerberos-master        SRV     0 100 88 <your Bind-DNS-RPZ1-Host-FQDN>.
                        SRV     0 100 88 <your Bind-DNS-RPZ2-Host-FQDN>.
_kpasswd                SRV     0 100 464 <your Bind-DNS-RPZ1-Host-FQDN>.
                        SRV     0 100 464 <your Bind-DNS-RPZ2-Host-FQDN>.
_ldap                   SRV     0 100 389 <your Bind-DNS-RPZ1-Host-FQDN>.
                        SRV     0 100 389 <your Bind-DNS-RPZ2-Host-FQDN>.
$ORIGIN _udp.<your FQDN>.rpz.
_kerberos               SRV     0 100 88 <your Bind-DNS-RPZ1-Host-FQDN>.
                        SRV     0 100 88 <your Bind-DNS-RPZ2-Host-FQDN>.
_kerberos-master        SRV     0 100 88 <your Bind-DNS-RPZ1-Host-FQDN>.
                        SRV     0 100 88 <your Bind-DNS-RPZ2-Host-FQDN>.
_kpasswd                SRV     0 100 464 <your Bind-DNS-RPZ1-Host-FQDN>.
                        SRV     0 100 464 <your Bind-DNS-RPZ2-Host-FQDN>.
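A zone file in this layout is easy to get subtly wrong (a relative target that silently gets the RPZ origin appended, a stray quote in a target, one host dropped from a record pair, a wrong port), and BIND will load most of those without complaint, so the failure only shows up as a Kerberos client that cannot find a KDC. The following is an added example, not code from the original post or from FreeIPA: a small offline checker that parses the RPZ zone file ($ORIGIN, $TTL, blank-owner continuation lines and the parenthesised multi-line SOA) and verifies that every TXT and SRV record IPA clients look up is present under the RPZ domain, names every RPZ host with an absolute unquoted target and advertises the expected port. The example.test domain and the ipa1/ipa2 host names in SAMPLE_ZONE are constructed placeholders.

```python
"""Offline check of the IPA RPZ zone file before BIND loads it (added example,
not from the original post; SAMPLE_ZONE is a constructed zone in the layout of
Appendix B with example.test / ipa1 / ipa2 as placeholder names)."""
import sys

# SRV names IPA clients query and the port each one must advertise.
REQUIRED_SRV = {
    "_kerberos._tcp": 88, "_kerberos._udp": 88,
    "_kerberos-master._tcp": 88, "_kerberos-master._udp": 88,
    "_kpasswd._tcp": 464, "_kpasswd._udp": 464,
    "_ldap._tcp": 389,
}

def absolute(name, origin):
    """Qualify a zone-file owner name against the current $ORIGIN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else name + "." + origin

def parse_zone(text):
    """Return (owner, rtype, rdata fields) tuples with absolute owner names."""
    logical, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # drop comments (';' inside TXT not handled)
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:  # parenthesised (multi-line SOA) record is complete
            logical.append(" ".join(buf))
            buf = []
    origin, owner, records = ".", None, []
    for line in logical:
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if fields[0].startswith("$"):  # $TTL and other directives
            continue
        if not line[0].isspace():  # explicit owner; a blank owner reuses the previous one
            owner = absolute(fields.pop(0), origin)
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH")):
            fields.pop(0)  # optional TTL and class
        records.append((owner, fields[0].upper(), fields[1:]))
    return records

def check_ipa_rpz(text, rpz_domain, rpz_hosts):
    """Return a list of problems; an empty list means the zone covers IPA's needs."""
    problems, by_owner = [], {}
    for owner, rtype, rdata in parse_zone(text):
        by_owner.setdefault((owner.lower(), rtype), []).append(rdata)
    rpz_domain = rpz_domain.rstrip(".").lower()
    wanted = {h.rstrip(".").lower() + "." for h in rpz_hosts}
    if not by_owner.get((f"_kerberos.{rpz_domain}.", "TXT")):
        problems.append(f"_kerberos.{rpz_domain}: realm TXT record missing")
    for name, port in REQUIRED_SRV.items():
        owner, targets = f"{name}.{rpz_domain}.", set()
        for rdata in by_owner.get((owner, "SRV"), []):
            if len(rdata) != 4:
                problems.append(f"{owner}: malformed SRV rdata {' '.join(rdata)}")
                continue
            _prio, _weight, p, target = rdata
            if '"' in target or not target.endswith("."):
                problems.append(f"{owner}: target {target} must be absolute and unquoted")
            if p != str(port):
                problems.append(f"{owner}: port {p}, IPA expects {port}")
            targets.add(target.lower())
        for host in sorted(wanted - targets):
            problems.append(f"{owner}: no SRV record pointing at {host}")
    return problems

SAMPLE_ZONE = """\
$ORIGIN .
$TTL 86400 ; 1 day
example.test.rpz IN SOA localhost. root.localhost. ( 2024010101 3600 1800 604800 86400 )
                 NS localhost.
$ORIGIN example.test.rpz.
_kerberos        TXT "EXAMPLE.TEST"
$ORIGIN _tcp.example.test.rpz.
_kerberos        SRV 0 100 88 ipa1.example.test.
                 SRV 0 100 88 ipa2.example.test.
_kerberos-master SRV 0 100 88 ipa1.example.test.
                 SRV 0 100 88 ipa2.example.test.
_kpasswd         SRV 0 100 464 ipa1.example.test.
                 SRV 0 100 464 ipa2.example.test.
_ldap            SRV 0 100 389 ipa1.example.test.
                 SRV 0 100 389 ipa2.example.test.
$ORIGIN _udp.example.test.rpz.
_kerberos        SRV 0 100 88 ipa1.example.test.
                 SRV 0 100 88 ipa2.example.test.
_kerberos-master SRV 0 100 88 ipa1.example.test.
                 SRV 0 100 88 ipa2.example.test.
_kpasswd         SRV 0 100 464 ipa1.example.test.
                 SRV 0 100 464 ipa2.example.test.
"""

if __name__ == "__main__":  # usage: python rpz_check.py [zonefile]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ZONE
    hosts = ["ipa1.example.test", "ipa2.example.test"]
    print("\n".join(check_ipa_rpz(text, "example.test.rpz", hosts) or ["ok"]))
```

Point it at the master's copy of the zone before bumping the SOA serial; the same check run against the slave's transferred copy (Appendix D) confirms that the transfer delivered the complete zone. The checker reports only what IPA needs; it is not a general zone-file validator, so still run named-checkzone for syntax.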


Appendix C: Secondary IPA DNS /etc/named.conf file
# cat /etc/named.conf
options {
        // Put files that named is allowed to write in the data/ directory:
        directory "/var/named"; // the default
        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";
        #forward first;
        forwarders {
                <your Forwarder1>;
                <your Forwarder2>;
        };
        response-policy {zone "<your RPZ-Zone-File-Name>"; };

        // Any host is permitted to issue recursive queries
        allow-recursion { any; };

        tkey-gssapi-credential "DNS/<your Bind-DNS-RPZ2-Host-FQDN>";
        tkey-domain "<your Realm-FQDN>";
};

/* If you want to enable debugging, eg. using the 'rndc trace' command,
 * By default, SELinux policy does not allow named to modify the /var/named directory,
 * so put the default debug log file in data/ :
 */
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "<your RPZ-Zone-File-Name>" IN {
        type slave;
        file "slaves/<your RPZ-Zone-File-Name>";
        masters {<your RPZ-Zone-Master-DNS>;};
};

zone "10.in-addr.arpa" IN {
        type forward;
        forwarders {
                <your Forwarder1>;
                <your Forwarder2>;
        };
};

include "/etc/named.rfc1912.zones";

# dynamic not used
#dynamic-db "ipa" {
#        library "ldap.so";
#};

Appendix D: Secondary IPA DNS /var/named/slaves/<your RPZ-Zone-File-Name>
NOTE: This file is autogenerated by the master/slave zone transfer. To
refresh it, delete the file, then increment the SOA serial on the master and
reload named on the master.

cat /var/named/slaves/<your RPZ-Zone-File-Name>
$ORIGIN .
$TTL 86400      ; 1 day
<your Domain>.rpz              IN SOA  localhost. root.localhost. (
                                3936666534 ; serial
                                3600       ; refresh (1 hour)
                                1800       ; retry (30 minutes)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                        NS      localhost.
$ORIGIN <your FQDN>.rpz.
_kerberos               TXT     "<your Realm-FQDN>"
_ntp_udp                SRV     0 100 123 <your Bind-DNS-RPZ1-Host-FQDN>.
$ORIGIN _tcp.<your FQDN>.rpz.
_kerberos               SRV     0 100 88 <your Bind-DNS-RPZ1-Host-FQDN>.
                        SRV     0 100 88 <your Bind-DNS-RPZ2-Host-FQDN>.
_kerberos-master        SRV     0 100 88 <your Bind-DNS-RPZ1-Host-FQDN>.
                        SRV     0 100 88 <your Bind-DNS-RPZ2-Host-FQDN>.
_kpasswd                SRV     0 100 464 <your Bind-DNS-RPZ1-Host-FQDN>.
                        SRV     0 100 464 <your Bind-DNS-RPZ2-Host-FQDN>.
_ldap                   SRV     0 100 389 <your Bind-DNS-RPZ1-Host-FQDN>.
                        SRV     0 100 389 <your Bind-DNS-RPZ2-Host-FQDN>.
$ORIGIN _udp.<your FQDN>.rpz.
_kerberos               SRV     0 100 88 <your Bind-DNS-RPZ1-Host-FQDN>.
                        SRV     0 100 88 <your Bind-DNS-RPZ2-Host-FQDN>.
_kerberos-master        SRV     0 100 88 <your Bind-DNS-RPZ1-Host-FQDN>.
                        SRV     0 100 88 <your Bind-DNS-RPZ2-Host-FQDN>.
_kpasswd                SRV     0 100 464 <your Bind-DNS-RPZ1-Host-FQDN>.
                        SRV     0 100 464 <your Bind-DNS-RPZ2-Host-FQDN>.


In conclusion.
RPZ is very powerful: DNS mangling, in a way.
This scenario was how I was able to overcome a tough/strict DNS environment
that I had zero control of.

Regards
Jim Glenz
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code